h1. Ecryptfs

{{>toc}} 

h2. La méthod root

* Permet de choisir le répertoire crypté

* Utilise une passephrase 

* Ne dépends pas de logiciel exterieur

h3. Configuration

Création des répertoires 

<pre>

# mkdir -m 500 -p mysecretdir

# mkdir -m 700 -p .mysecretdir

</pre>

Initialisation du répertoire crypté:

<pre>

# sudo mount -t ecryptfs -o no_sig_cache .mysecretdir mysecretdir

Passphrase: *your_passphrase*

Select cipher: 

 1) aes: blocksize = 16; min keysize = 16; max keysize = 32

 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56

 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24

 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32

 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32

 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16

Selection [aes]: *<enter>*

Select key bytes: 

 1) 16

 2) 32

 3) 24

Selection [16]: *<enter>*

Enable plaintext passthrough (y/n) [n]: *<enter>*

Enable filename encryption (y/n) [n] : *y*

Filename Encryption Key (FNEK) Signature [XXXXXXXXXXXXXXXXXXX]: *<enter>*

Attempting to mount with the following options:

  ecryptfs_unlink_sigs

  ecryptfs_fnek_sig=XXXXXXXXXXXXXX

  ecryptfs_key_bytes=16

  ecryptfs_cipher=aes

  ecryptfs_sig=XXXXXXXXXXXXXX

Mounted eCryptfs

</pre>

On peux memoriser les options choisi dans son /etc/fstab comme ceci pour quelle ne soit pas redemandé à chaque montage:

<pre>

/home/sileht/.mysecretdir /home/sileht/mysecretdir ecryptfs noauto,ecryptfs_enable_filename_crypto=y,ecryptfs_unlink_sigs,ecryptfs_fnek_sig=XXXXXXXXXXXXXX,ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig=XXXXXXXXXXXXXX,ecryptfs_passthrough=no,no_sig_cache 0 0

</pre>

h3. Utilisation:

si il n'est pas monté: 

<pre>

# sudo mount mysecretdir

</pre>

Puis,

<pre>

# echo "TEST" > mysecretdir/test

# sudo umount mysecretdir

# find .mysecretdir 

.mysecretdir

.mysecretdir/ECRYPTFS_FNEK_ENCRYPTED.FWZSxtNBzRhUc-T0igL-f2xajxDl2TU2MN3yqm0Itm4EZOA0-Ks4Ul599k--

# sudo mount mysecretdir 

Passphrase: 

Attempting to mount with the following options:

  ecryptfs_unlink_sigs

  ecryptfs_fnek_sig=5ef7964dfddb60a0

  ecryptfs_key_bytes=16

  ecryptfs_cipher=aes

  ecryptfs_sig=5ef7964dfddb60a0

Mounted eCryptfs

# cat mysecretdir/test 

TEST

</pre>

h2. La méthode userland

* Le répertoire crypté est forcément Private et .Private

* Ce mountage est automatiquement monté/démonté à l'ouverture/fermeture de session (optionnel)

* Utilise le mot de passe de login et le trousseau de clé de la session utilisateur

h3. Configuration

<pre>

# ecryptfs-setup-private [--noautomount]

Enter your login passphrase [sileht]: *<login password>*

Enter your mount passphrase [leave blank to generate one]: *<enter>*

************************************************************************

YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.

  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase

THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.

************************************************************************

Done configuring.

Testing mount/write/umount/read...

Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring

Inserted auth tok with sig [adb24429adf745ac] into the user session keyring

Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring

Inserted auth tok with sig [adb24429adf745ac] into the user session keyring

Testing succeeded.

Logout, and log back in to begin using your encrypted directory.

</pre>

Et c'est tout!

h3. Utilisation

<pre>

# ecryptfs-mount-private 

Enter your login passphrase: *<login password>*

Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring

# echo TEST > Private/test

# ecryptfs-umount-private

# find .Private

.Private

.Private/ECRYPTFS_FNEK_ENCRYPTED.FWahgYEdfTR3f-RdHuZMGUBU4uG4WV898FA9hmsdE.MuvMqujcoOMMUII---

# ecryptfs-mount-private 

Enter your login passphrase: *<login password>*

Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring

# cat Private/test

TEST

</pre>